CN103404112A - Vehicle network system - Google Patents

Abstract

In the vehicle network system, multiple ECUs are networked. The plurality of ECUs includes: a first ECU (20), in which a private key ( K1), and the private key and the public key are set based on the initialization process performed when the vehicle network system is created; and the second ECU (21) in which the public key is set (K2). The second ECU (21) adds the authentication key (43) created by the public key (K2) and information capable of specifying the second ECU (21) to the transmission signal, and transmits the transmission signal with the added authentication key to the network (29). The first ECU (20) acquires the authentication key (43) and evaluates the reliability of the communication signal based on the acquired authentication key (43) and the secret key (K1).

Description

vehicle network system

technical field

The present invention relates to a vehicle network system in which a plurality of electronic control units mounted on a vehicle are network-connected to each other and exchange information.

Background technique

By interconnecting a plurality of electronic control units (ECUs) mounted on a vehicle via a network, it is possible to configure a vehicle network system that will enable exchange of information (vehicle information) that the ECUs have. In such a vehicle network system, it is generally possible to easily exchange vehicle information between network-connected ECUs. Meanwhile, it is also easy to mistakenly or intentionally detach a device connected to a network, or mistakenly or intentionally attach a device to a network. Thus, in the event of accidental detachment of a device from the network or attachment of an unexpected device to the network, unauthorized access to the network can occur or the exchange of vehicle information can be affected. Therefore, Japanese Patent Application Publication No. 2005-1534 (JP 2005-1534A) describes an example of a system that can be adapted to a case where an ECU constituting a vehicle network system is removed by disassembly or the like.

In the system described in JP2005-1534A, a vehicle network system is assumed in which, for example, a communication ECU, an engine ECU, a car navigation ECU, and an air-conditioning ECU are communicably connected to each other through a network (communication lines). Since connection identification is performed by each ECU in such a system, when an abnormality in connection with any ECU (installed device) is detected, the operation of this device or other ECUs (installed device) is stopped. Therefore, when any installed device is detached from the vehicle, other installed devices are prevented from operating normally as a device group. As a result, unauthorized actions including device disassembly, that is, vehicle theft are effectively prevented in such a case.

Therefore, the system described in JP2005-1534A can be adapted to the case of detaching a device, but cannot be necessarily properly adapted to the case of adding an unauthenticated device. Therefore, the system cannot ensure security against frequent unauthenticated access associated with addition of devices, such as a replay attack in which a fake signal (alias ) are sent to the network.

For example, in a control area network (CAN) that is often used as a vehicle network, a transmitting device transmits a signal assigned an identifier (CAN ID) that has been assigned to the transmitting device, and the receiving device based on the The identifier of the signal identifies the device transmitting the signal and the content of the signal. As shown in FIG. 12A , in the case of outputting a transmission signal TD110 including an identifier “XX” and data “123 . The receiving device normally obtains a received signal RD111 to RD113 based on the transmitted signal TD110 and comprising the identifier "XX" and the data "123...". Meanwhile, as shown in FIG. 12B , in the case where an unsuitable ECU_A130 is connected to the network system 100, the unsuitable ECU_A130 can use the identifier "XX" used by the ECU_A110 as a normal transmission device to output information including unsuitable The transmission signal TD130 of the appropriate data "999...". As a result, ECU_B111, ECU_C112, and ECU_N113 obtain reception signals RD131 to RD133 including identifier "XX" and data "999...". In such a case, although the transmission signal does not belong to the inappropriate ECU_A 130 , the ECU_B 111 , ECU_C 112 , and ECU_N 113 determine that the signal comes from the ECU_A 110 and perform processing based on inappropriate data. Therefore, an inappropriate ECU_A130 can pretend to be a normal ECU_A110 through unauthenticated access to the network system 100 constituted by CAN, and this also becomes a problem for vehicles with recent advances in the network field.

In systems with high device processing capacity or high network data transmission capacity, it is obviously possible to prevent unauthorized access by using advanced encryption protocols such as Secure Sockets Layer (SSL) that performs encryption every time a signal is transmitted and received , but since high-load calculations are required for the processing of advanced encryption protocols, it is unrealistic to use protocols requiring such high-load calculations in vehicle network systems, where the calculation capacity and data transmission capacity are reduced to necessary minimum limit.

Contents of the invention

The present invention provides a vehicle network system capable of appropriately ensuring the reliability of communication signals under the condition of limited communication capacity between a plurality of network-connected electronic control units.

In a vehicle network system according to an aspect of the present invention, a plurality of control units are provided on a vehicle and are communicably network-connected to each other. The vehicle network system is provided with a plurality of control units provided on a vehicle and communicably networked with each other. The plurality of control units include: a first control unit in which a private key from among a private key and a public key forming a pair is set, and by executing the an initialization process to set a private key and a public key; and a second control unit in which the public key is set. The second control unit is configured to create authentication information from the public key and information capable of specifying the second control device, add the authentication information to a communication signal to be transmitted to other control units, and will have the added authentication information The communication signal is sent to the network. The first control unit is configured to acquire authentication information that has been added to the communication signal transmitted from the second control unit, and evaluate reliability of the communication signal based on the acquired authentication information and the private key.

According to the first aspect described above, since the public key is set when the initialization process is performed, the unit that transmits the communication signal together with the authentication information is specified as a unit included in the vehicle network system when the initialization process is performed. As a result, since the transmitted communication signal with the authentication information added is thus specified as a signal transmitted from a unit included in the vehicle network system during the initialization process, its reliability is ensured. As a result, the reliability of communication signals can be increased.

In the case of storing the authentication information which has thus been created, there is no need to create this authentication information again, and in the subsequent transmission of the communication signal, the processing capacity of the second control unit can be maintained at a conventional level without adding to the Create the payload required for authentication information.

Furthermore, since the content of the authentication information that has been encrypted by the public key has not been falsified, the reliability of the communication signal with the added authentication information can also be increased.

In the first aspect, the second control unit may be configured to divide the authentication information into a plurality of pieces of information, sequentially add the divided authentication information that has been obtained through division to the communication signal, and transmit the The communication signal of the authentication information. The first control unit may be configured to sequentially receive the communication signal, reconfigure the authentication information before the division from the divided authentication information, and evaluate the reliability of the communication signal based on the reconfigured authentication information.

With the above-described configuration, since divided authentication information is transmitted, the amount of communication data required to ensure reliability can be reduced compared to the case where the entire authentication information is added to each transmitted communication signal. In particular, in the case of a vehicle network system designed to have the minimum required capacity and functions, it is possible to increase the reliability of communication signals while suppressing an increase in cost associated with functional enhancement for increasing the reliability of communication signals .

In the above aspect, the first control unit may be configured to generate a private key and a public key by performing initialization processing, and may set the private key to the first control unit itself and the public key to the second Two control units.

With the above-described configuration, since the first control unit generates the private key and the public key when performing initialization processing, the possibility of leaking information on the private key and the public key in advance is eliminated.

In the above aspect, the first control unit may set the public key to the second control unit via a network.

With the above configuration, the public key can be accurately and efficiently distributed to appropriate control units constituting the vehicle network system.

In the above aspect, the second control unit may create the authentication information at a timing when the public key is set.

With the above configuration, since the authentication information is created when the public key is set, the processing load associated with creating the authentication information is not generated when the communication signal is transmitted, and an increase in the processing load in the second control unit is prevented.

In the above aspect, after the authentication information is created, the second control unit may delete the public key that has been set.

With the above configuration, since the public key itself is not necessary after the authentication information has been created, leakage of the public key is prevented and further increased by leaving the authentication information for evaluating the reliability of the communication signal and deleting the public key. reliability of communication signals.

In the above aspect, each time the vehicle network system is started, before transmitting the communication signal, the second control unit transmits the authentication information to the network, and the first control unit may be configured to obtain and store the communication information received from the second control unit. Authentication information that has been previously received for the signal, and the authenticity of the communication signal is evaluated by comparing the stored authentication information with the authentication information added to the communication signal.

With the above configuration, the first control unit can perform reliability evaluation of the communication signal by authenticating the control unit that transmits the communication signal that needs to be evaluated for reliability by authenticating the control unit that transmits the communication signal that needs to be evaluated by the authentication information that is transmitted before transmitting the communication signal every time the vehicle network system is started, without Affected by changes in system configuration. Furthermore, in such a case, the control unit that transmits the communication signal requiring evaluation of reliability is not required to be previously registered in the first control unit. Thus, the flexibility of the system is also increased.

In the above aspect, the first control unit may be configured to prohibit use of the communication signal in the vehicle network system when it is determined that the communication signal transmitted by the second control unit is unreliable.

With the above configuration, when a unit masquerading as the second control unit is connected to the vehicle network system and an unauthenticated signal is transmitted to the vehicle network system, the influence of the unauthenticated signal is eliminated from the vehicle network system. As a result, the possibility of an unauthenticated signal adversely affecting the vehicle network system can be suppressed.

In the vehicle network system according to the second aspect of the present invention, a plurality of control units provided on the vehicle are communicably networked with each other. The vehicle network system includes a plurality of control units provided on the vehicle and communicatively networked with each other. The plurality of control units includes a first control unit in which a private key from among a private key and a public key forming a pair is set, and the private key and the public key are passed through performing an initialization process for activating the system; and a second control unit in which a public key is set. The first control unit is configured to transmit a communication signal to other control units via a network, and also transmits an authentication signal created based on a private key and original authentication data, wherein the original authentication data is generated based on the communication signal, and the second control unit is configured to receive a communication signal and an authentication signal, and evaluate the reliability of the communication signal based on a comparison of reproduced authentication data generated based on the received communication signal and decoded authentication data, which is decoded based on the authentication signal and the public key Decode authentication data.

With the above configuration, since the public key is set when the initialization process is performed, the first control unit that transmits the public key is designated as a device already included in the vehicle network system when the initialization process is performed. The second control unit is able to determine that the transmission origin of the command signal is the first control unit and that the communication signal has not been tampered with by comparing the reproduced authentication data generated from the communication signal with the decoded authentication data obtained by decoding the authentication signal of the first control unit . For example, in a case where a communication signal flowing in the network has been tampered with, authentication data corresponding thereto cannot be tampered with. Therefore, falsification of communication signals can be detected. As a result, a false signal from a device masquerading as the first control device can be detected, and the reliability of the communication signal can be increased.

Furthermore, since the communication signal itself from the first control device is also transmitted to the network, other control devices that do not evaluate the reliability of the communication signal can be conveniently used to receive the communication signal from the first control unit. Therefore, the system for evaluating the reliability of communication signals can also be applied to already existing vehicle network systems.

In the above second aspect, the first control unit is configured to generate the authentication signal by encrypting original authentication data calculated by applying a hash function to the communication signal with a private key, and the second control unit The unit may be configured to calculate regenerated authentication data by applying the hash function to the received communication signal, and to evaluate the reliability of the communication signal based on a comparison of the regenerated authentication data with decoded authentication data obtained by decoding the authentication signal.

With the above configuration, by using a hash function, authentication data of an appropriate size (strength) can be calculated from a communication signal. As a result, flexibility is increased when designing vehicle network systems.

In the above aspect, the first control unit may be configured to generate a private key and a public key by performing initialization processing, and may set the private key to the first control unit itself and the public key to the second Two control units.

With the above-described configuration, since the first control unit generates the private key and the public key when performing initialization processing, the possibility of leaking information on the private key and the public key in advance is eliminated.

In the above aspect, the first control unit may set the public key to the second control unit via a network.

With the above configuration, the public key can be accurately and efficiently distributed to appropriate control units constituting the vehicle network system.

Description of drawings

The features, advantages, and technical and industrial significance of exemplary embodiments of the present invention will be described below with reference to the accompanying drawings, in which like reference numerals represent like elements, and in which:

1 is a block diagram illustrating a schematic configuration of a vehicle network system according to a first embodiment of the present invention;

2 is a diagram schematically illustrating how an ECU of a vehicle network system generates an authentication key;

3A and 3B illustrate divided authentication keywords added to the transmission signal by the ECU of the vehicle network system, FIG. 3A is a schematic diagram schematically illustrating how to extract keywords by dividing the authentication keyword, and FIG. 3B is a schematic diagram A schematic diagram schematically illustrating a configuration of a data format of a transmission signal with an added extraction keyword;

4A and 4B are flowcharts illustrating the steps of a process performed to evaluate the reliability of communication signals in a vehicle network system, FIG. 4A is a flowchart illustrating the steps of a system initialization process, and FIG. 4B is a flowchart illustrating a flowchart of the steps of the process performed to assess the reliability of the communication signal;

5 is a sequence diagram illustrating system initialization processing of the vehicle network system;

FIG. 6 is a sequence diagram illustrating connection management processing of the vehicle network system;

7 is a sequence diagram illustrating data authentication processing of the vehicle network system;

8 is a block diagram illustrating a schematic configuration of a vehicle network system according to a second embodiment of the present invention;

FIG. 9 is a diagram schematically illustrating how signals are transmitted and received in a vehicle network system;

FIG. 10 is a flowchart illustrating the steps of a process of transmitting a signal in a vehicle network system;

11 is a flow chart illustrating the steps of a process performed to evaluate the reliability of a signal based on a signal received in a vehicle network system; and

12A and 12B schematically illustrate the configuration of a conventional vehicle network system, FIG. 12A is a schematic diagram illustrating transmission and reception of signals in a normal state, and FIG. 12B is a schematic diagram illustrating signals when unauthenticated access has occurred. Schematic diagram of transmission and reception.

Detailed ways

(first embodiment)

A first embodiment of a vehicle network system according to the present invention will be explained below with reference to FIGS. 1 to 3 .

As shown in FIG. 1 , a vehicle 10 is provided with a vehicle network system including: first to fourth ECUs 20 to 23 serving as units that perform electronic control of devices mounted on the vehicle; and A network 29 that network-connects the first to fourth ECUs 20 to 23 so that the ECUs can communicate with each other.

The network 29 has specifications suitable for installing the network on the vehicle 10 . In the present embodiment, a control area network (CAN) for vehicles, which is a conventional network, is used as the network 29 . CAN for vehicles has a maximum communication capacity of, for example, 500 kilobits per 1 second (time), and as its specification, can include up to 8 bytes (64 bits) in one data frame (about 5 to 13 bytes) . Furthermore, in the present embodiment, data included in the data frame (transmission signal) transmitted to the network 29 is so-called vehicle information data such as vehicle speed, engine temperature, or the result of processing performed by the ECU.

The first to fourth ECUs 20 to 23 are provided with a communication unit 30 that communicates with each other via a network 29 . Since the communication units 30 of the first to fourth ECUs 20 to 23 have the same function, only the communication unit 30 of the first ECU 20 which functions as the first control unit will be explained in detail below, and for convenience of explanation, the function will be omitted. Explanation of the communication unit 30 of the second to fourth ECUs 21 to 23 acting as the second control unit.

The communication unit 30 of the first ECU 20 receives a transmission signal serving as a communication signal including vehicle information data transmitted from the second to fourth ECUs 21 to 23, extracts the vehicle information data contained in the transmission signal that has been received, and at the Various types of processing are enabled in an ECU 20 . For this purpose, the communication unit 30 removes data to be used for network communication processing, such as "CANID", from the transmission signal received by the network 29 and constituted by the format of the CAN protocol, thereby extracting the vehicle information data, and in the vehicle information data The extracted vehicle information data is stored in the storage device of the first ECU 20 in the state associated with the "CAN ID". "CAN ID" is previously associated with one vehicle information data at a one-to-one ratio. Therefore, based on the "CAN ID" associated therewith, the first ECU 20 can determine the meaning of the extracted vehicle information data. Conversely, when transmitting vehicle information data, the communication unit 30 of the first ECU 20 generates a transmission signal including the vehicle information data transmitted from the first ECU 20 and transmits the generated transmission signal to the network 29 . Accordingly, the communication unit 30 of the first ECU 20 adds "CAN ID" and the like to the vehicle information data to be transmitted, generates a transmission signal having a CAN protocol format, and transmits the generated transmission signal to the network 29. As a result, the first to fourth ECUs 20 to 23 mutually exchange various types of vehicle information data via the network 29 .

For example, the first to fourth 20 to 23 are engine ECU, brake ECU, steering ECU, and driving assistance (navigation system) ECU. The first to fourth ECUs 20 to 23 are arranged around a microcomputer provided with computing means, storage means, nonvolatile memory (ROM), volatile memory (RAM), and nonvolatile storage means (flash memory or hard disk). Various types of information processing based on data and programs stored in a storage device or a memory device are performed by the microcomputer.

Furthermore, the vehicle network system of the present embodiment is provided with a configuration for increasing the reliability of communication signals. Therefore, the first ECU 20 has a function of monitoring the transmission signal flowing to the network 29 and evaluating the reliability of the transmission signal, that is, an authentication master function. Meanwhile, the second to fourth ECUs 21 to 23 have functions of adding an authentication key or the like for authentication to a transmission signal and transmitting a transmission signal with the added authentication key, so as to make the first The ECU 20 is capable of authenticating transmission signals from the second to fourth ECUs 21 to 23 . The configurations of the second to fourth ECUs 21 to 23 will be described below.

The first ECU 20 is provided with a key generating unit 31 that generates a secret key K1 and a public key K2 that form a pair; and a secret key retaining unit 32 that retains the secret key held by The secret key K1 generated by the key generation unit 31. The first ECU 20 is also provided with a connection ECU management unit 33 which registers and manages ECUs connected to the network 29 every time the vehicle 10 is started; and a keyword authentication unit 34 which Evaluation (authentication) processing of the reliability of the transmission signal is performed based on the authentication key encrypted by the public key K2.

The key generation unit 31 forms a pair of secret key K1 and public key K2 (key pair) used in a public key encryption system such as RSA encryption that enables encryption and digital signatures, and uses, for example, encryption by RSA The calculation method specified by the system to generate the key pair to be used for RSA encryption. Therefore, in the case where a key pair is used for encryption, plain text can be encrypted using the public key K2, and the encrypted plain text can be decoded by the private key K2. Furthermore, in the case where a key pair is used for digital signatures, plain text encrypted by the private key K1 can be decoded by the public key K2.

Furthermore, the generation of the key pair by the key generation unit 31 is performed under the condition that the initialization of the vehicle network system is performed. After the key generation unit 31 has generated a pair of private key K1 and public key K2 as a key pair, the generated public key K2 is transmitted to the network 29 once, that is, the public key K2 is made public once. Therefore, in the present embodiment, under the condition that the initialization of the vehicle network system has been performed, the public key K2 is made public only once in the vehicle network system, and is not always disclosed like a typical public key used on the Internet. .

The initialization of the vehicle network system used as a condition for the key generation unit 31 to generate the key pair is initialization processing performed with respect to the vehicle network system in order to activate the configured vehicle network system. For example, initialization of the vehicle network system is purposefully performed only when a battery is connected to the vehicle for shipment or when vehicle preparation accompanied by reconfiguration of the vehicle network system is performed by a car dealer. In other cases, for example, when the vehicle is started to use the vehicle by the ignition key, etc., or when the battery is replaced without any relation to the reconfiguration of the vehicle network system, the initialization of the vehicle network system is not performed and therefore, no A key pair is generated by the key generation unit 31 .

When a key pair is generated and a secret key is usably held only in the first ECU 20 , the secret key holding unit 32 receives from the key generation unit 31 the secret among the pair of keys generated by the key generation unit 31 . Key K1.

The connection ECU management unit 33 receives the authentication key 43 including identification information on each ECU transmitted by the ECU via the network 29 each time the vehicle network system is started following operation of the vehicle 10 with the ignition key or the like. The connected ECU management unit 33 then determines that the ECU specified based on the identification information obtained from the received authentication key 43 is connected to the network 29, registers this ECU in the connection list 331, and manages it usably during operation of the vehicle network system. The connection list 331 in the first ECU 20 . In this embodiment, the authentication key 43 is encrypted by the public key K2, but is decoded by the private key K1 that has been held in the private key holding unit 32, thereby making it possible to acquire the ECU identification information included therein .

The key authentication unit 34 decodes the authentication key 43 encrypted by the public key K2 using the private key K1 held in the private key retention unit 32 as necessary. Furthermore, the keyword authentication unit 34 monitors the transmission signal flowing in the network 29 and acquires the authentication keyword 43 that has been added to the transmission signal. In the present embodiment, part of the authentication key 43 (extraction key) is added to the transmission signal. Therefore, a part of the authentication key 43 is obtained from the transmission signal, and the obtained part of the authentication key 43 is sequentially connected to the transmission signal with the same "CAN ID", thereby reconfiguring the full-sized reconfigured authentication key 341 .

Furthermore, the key authentication unit 34 compares the full-sized reconfigured authentication key 341 with the authentication key 43 held in the connection ECU management unit 33 . The key authentication unit 34 may perform the comparison while the reconfigured authentication key 341 and the authentication key 43 are still encrypted, or may perform the comparison after decoding. As a result, it is verified whether the ECU that has transmitted the transmission signal is the ECU that has transmitted the authentication key 43 managed in the connection list 331 . Therefore, when the reconfigured authentication key 341 matches the authentication key 43 , the ECU that has transmitted the transmission signal is verified as the ECU that has transmitted the authentication key 43 managed in the connection list 331 . Meanwhile, in the case where the reconfigured authentication key 341 and the authentication key 43 do not match, it means that an incorrect transmission signal has been added to the network 29 due to unauthenticated access or the like, and it is determined that the transmission signal cannot be ensured. reliability.

Furthermore, when the reconfigured authentication key 341 and the authentication key 43 do not match, the keyword authentication unit 34 determines that the reconfigured authentication key 341 is not authenticated and prohibits the use of the " CAN ID" transmission signal. For example, the keyword authentication unit 34 prohibits the use of an ECU that has been assigned a "CAN ID" that is prohibited from being used in the vehicle network system, or broadcasts (notifies) information indicating that the transmission signal is not authenticated to the network 29, thereby disconnecting from the vehicle network system. The ECU to be prohibited may cause the system to ignore the transmission signal to be prohibited. As a result, the transmission signal having the "CAN ID" as the object of prohibition does not flow into the network 29 or is thus not processed. Furthermore, in the case where the keyword authentication unit 34 transmits the "CAN ID" which is the object of prohibition to the network 29, the "CAN ID" which is the object of prohibition is transmitted to the second to fourth ECUs 21 to 23 and prohibited from being used in the ECUs Transmission signal with "CAN ID" as prohibited object.

Functions related to evaluation of reliability of transmission signals in the second to fourth ECUs 21 to 23 will be explained below. Since the second to fourth ECUs 21 to 23 have the same functions, only the explanation about the second ECU 21 is provided below. For convenience of explanation, when explaining the third and fourth ECUs 22 and 23 , the same and corresponding functions are assigned the same reference numerals and detailed explanation thereof is omitted here.

The second ECU 21 is provided with: a public key holding unit 41 which receives and holds the public key K2 transmitted from the first ECU 20; and an authentication key generating and holding unit 42 which generates The sum holding unit 42 generates and holds the authentication key 43 by using the public key K2. The second ECU 21 is also provided with: vehicle information data 44, which is composed of vehicle speed, engine temperature, or processing results obtained by the ECU; an authentication keyword adding unit 45, which authenticates the Parts of the keyword 43 are sequentially added to the vehicle information data 44 .

When performing initialization of the vehicle network system, the public key holding unit 41 acquires the public key K2 transmitted from the first ECU 20 , holds the acquired public key K2 , and enables its use in the second ECU 21 .

As shown in FIG. 2 , the authentication key generating and retaining unit 42 issues, for example, the ECU name 211 as essential information capable of specifying the second ECU 21 by using the public key K2 that has been held in the public key retaining unit 41. Or the information of at least one of the serial numbers 212 is encrypted (214), and an authentication key 43 is generated and maintained. Furthermore, the authentication key generation and holding unit 42 transmits the authentication key 43 already held therein to the network 29 every time the vehicle network system is started following the start of the vehicle with the ignition key. The second ECU 21 thus registers the authentication key 43 of the second ECU 21 in the connection list 331 of the connection ECU management unit 33 of the first ECU 20 .

The vehicle information data 44 represents one of vehicle information among vehicle speed, engine temperature, or processing results obtained by the ECU; one type of vehicle information data 44 is previously associated with a "CAN ID". As a result, in the vehicle network system, by referring to "CANID", if there is no unauthorized access, the type of vehicle information included in the vehicle information data 44 and the ECU that has transmitted the vehicle information data 44 can be correctly specified .

The authentication key adding unit 45 sequentially adds the extracted key as a part of the authentication key 43 to the vehicle information data 44 transmitted from the second ECU 21 and having the "CAN ID" assigned. More specifically, as shown in FIG. 3A , the authentication key adding unit 45 sets an "extraction start point" at a random position of the authentication key 43, and sequentially by a predetermined number of bits from the "extraction start point" Extract keywords to obtain extracted keywords 431 to 43n as n pieces of authentication information. In such a case, the extraction (acquisition) of "extraction key" is repeated until the extraction position reaches the end of the authentication key 43, and at this time the extraction position returns to the beginning of the authentication key 43, and "extraction key" is repeated extraction (acquisition) until the extraction position reaches the "extraction start point". Thus, from the authentication key 43, extraction keys 431 to 43n of a predetermined number of bits are extracted n times (predetermined number). Then, as shown in FIG. 3B , the authentication key adding unit 45 sequentially adds one extraction key 431 (to 43 n ) to the vehicle information data 44 . By sequentially adding one extraction key 431 (to 43 n ) to the vehicle information data 44 in this way, the amount of data to be transmitted can be reduced compared with the case of adding the authentication key 43 itself.

As a result, the vehicle information data 44 and the extraction key 431 (to 43n) are transmitted to the communication unit 30, where the CAN ID 215 and the serial number 216 are added thereto, a transmission signal constituted by the data format of the CAN protocol is created, and The created transmission signal is transmitted to the network 29 .

The aforementioned "extraction start point" can be set randomly. For example, it is possible to sequentially calculate adjacent bits by exclusive OR (XOR) with respect to the bit row of the public key K2, and obtain the calculation at a point in time when the number of bits of the calculation result becomes equal to a predetermined expected number of bits result. The "extraction start point" is then set to a position obtained by bit-shifting from the header of the authentication key 43 to the calculation result value that has been obtained in the above-described manner.

The operation of the vehicle network system configured in the above manner will be explained below with reference to FIGS. 4 to 7 . As shown in FIG. 4A , after the vehicle network system has been constructed, a system initialization process is performed to activate the system (step S10 in FIG. 4A ). In the system initialization process, as shown in FIG. 5A , the first ECU 20 as the authentication host ECU generates a pair of secret key K1 and public key K2 (step S11 in FIG. 5 ). The first ECU 20 holds the generated private key K1 in its private key holding unit 32 , and distributes the public key K2 to the second to fourth ECUs 21 to 23 via the network 29 (step S12 in FIG. 5 ). The second to fourth ECUs 21 to 23 that have set the public key K2 create respective authentication keys 43 based on the set public key K2 at the timing of setting the public key K2 and hold the created authentication keys (Step S13 in Fig. 5). When the above-described processing is completed, execution of the system initialization processing ends.

In the case of starting the vehicle network system in a usual manner after performing initialization of the vehicle network system, as shown in FIG. 4B , the vehicle network system performs connection management processing (step S20 in FIG. 4B ) and then performs data authentication processing ( Step S30 in Fig. 4B).

In the connection management process, as shown in FIG. 6 , the authentication key 43 held by the first to fourth ECUs 21 to 23 is transmitted to the network 29 following startup of the vehicle network system (step S21 in FIG. 6 ) . The first ECU 20 receives the authentication key 43 of the second to fourth ECUs 21 to 23, decodes the received authentication key using the private key K1, designates the ECU as the transmission source (step S22 in FIG. 6 ) and also transfers the authentication key The word 43 is associated with the specified ECU and registered in the connection list 331 (step S23 in FIG. 6 ). As a result, an ECU which cannot acquire the public key K2 during initialization of the vehicle network system thereby, for example, an ECU connected after initialization of the vehicle network system has been performed, will not be registered in the connection list 331, so that It is possible to distinguish ECUs that have not been authenticated to connect to the network 29 .

In the data authentication process, as shown in FIG. 7 , the second to fourth ECUs 21 to 23 transmit a transmission signal with the extracted key 431 (to 43 n ) added (step S31 in FIG. 7 ). The first ECU 20 monitors the transmission signal with the added extraction key, and combines the reconfigured authentication key 341 obtained by sequentially acquiring and reconfiguring the extraction key 431 (to 43n) for each "CAN ID" with the The authentication key 43 held in the connection list 331 is compared, thereby verifying the authenticity of the transmitted signal (step S32 in FIG. 7 ). Therefore, when the reconfigured authentication key 341 and the authentication key 43 match (Yes in step S33 in FIG. 7 ), the first ECU 20 determines that the re-authentication key 341 is appropriate and continues to monitor the transmission signal ( step S34).

Meanwhile, when the reconfigured authentication key 341 and the authentication key 43 do not match (NO in step S33 in FIG. 7 ), the first ECU 20 determines that the reconfigured authentication key 341 is not authenticated and disconnects from the vehicle network system. The ECU having the "CAN ID" of the reconfigured authentication key 341 added thereto (step S35 in FIG. 7). The first ECU 20 also prohibits the use in the second to fourth ECUs 21 to 23 with the Transmission signal of "CANID" (step S36 in FIG. 7).

As a result, in the vehicle network system of the present embodiment, the first ECU 20 monitors whether the transmission signal transmitted to the network 29 includes a transmission signal to which inappropriate data has been added with “CAN ID” assigned by the second ECU. Up to fourth ECUs 21 to 23 are added to this transmission signal. When a false transmission signal is included in the transmission signal, the first ECU 20 determines the false signal and prohibits the use of the false transmission signal in the network 29 .

As mentioned above, with the vehicle network system of the present embodiment, the following effects can be obtained. (1) Since the public key K2 is set in the second to fourth ECUs 21 to 23 when executing the initialization process of the vehicle network system, the second to fourth ECUs 21 to 23 that transmit the transmission signal together with the extraction keys 431 to 43n 23 is designated as a unit already included in the vehicle network system when the initialization process is executed. As a result, the transmission signal transmitted when the extraction keywords 431 to 43n are added thereto is designated as the transmission signal transmitted from the second to fourth ECUs 21 to 23 already included in the vehicle network system when the initialization process is executed. As a result, the reliability of the transmission signal can be increased.

(2) Furthermore, in the case where already created extraction keys 431 to 43n (authentication keys 43 ) are stored, it is not necessary to create extraction keys 431 to 43n again. Therefore, during the subsequent transfer of the transfer signal, there is no increase in load required to create the extraction keys 431 to 43n and the processing performance of the second to fourth ECUs 21 to 23 can be maintained at a conventional level.

(3) Furthermore, since the contents of the extraction keys 431 to 43n that have been encrypted by the public key K2 have not been tampered with, the reliability of the transmission signal with the added extraction keys also increases.

(4) Since the extraction keys 431 to 43n (authentication key 43 ) are transmitted at the time of division, by comparison with the case where all the extraction keys 431 to 43n are added to each transmission signal to be transmitted, the It is considered to be the amount of communication data required to ensure reliability. In particular, with a vehicle network system designed with the minimum necessary capacity and functions, the reliability of transmission signals can be increased while suppressing an increase in costs associated with functional enhancements for increasing the reliability of transmission signals.

(5) Since the first ECU 20 generates the private key K1 and the public key K2 during execution of the initialization process, the private key K1 and the public key K2 cannot be leaked in advance. (6) Since the public key K2 is distributed during the initialization process, the public key K2 can be accurately and efficiently distributed to the appropriate second to fourth ECUs 21 to 23 constituting the vehicle network system.

(7) Since the extraction keys 431 to 43n (authentication key 43 ) are created when the public key K2 is set, the keys for creating the extraction keys 431 to 43n (authentication key 43 ) are not generated when the transmission signal is transmitted. processing load, and an increase in processing load in the second to fourth ECUs 21 to 23 can be suppressed.

(8) Every time the vehicle network system is activated, the first ECU 20 authenticates the second to fourth ECUs 21 to 23 by the authentication key 43 transmitted prior to the transmission of the transmission signal, which transmits the required The reliability of the transmitted signal is evaluated, thereby making it possible to perform a reliability evaluation of the transmitted signal which is not affected by, for example, changes in the system configuration. Furthermore, in such a case, it is not required that the second to fourth ECUs 21 to 23 that transmit transmission signals requiring evaluation of reliability be registered in the first ECU 20 in advance. Thus, the flexibility of the system is also increased.

(9) When a device pretending to be the second to fourth ECUs 21 to 23 is connected to the vehicle network system and an unauthenticated signal (false signal) is transmitted to the vehicle network system, since the use of the unauthenticated signal is prohibited, preventing Unauthenticated signals affect vehicle network systems. As a result, it is possible to prevent unauthenticated signals from causing inconvenience in the vehicle network system.

(second embodiment)

A second embodiment of the vehicle network system according to the present invention will be described below with reference to FIGS. 8 and 9 . The main difference between the present embodiment and the first embodiment described above is that an authentication signal that enables reliability evaluation of a transmission signal is transmitted separately from the transmission signal, as necessary. Therefore, differences between the present embodiment and the first embodiment described above will be mainly described below, and for convenience of explanation, the same components will be assigned the same reference numerals and explanations thereof will be omitted.

The communication unit 30 of the first ECU 20 is similar to the communication unit 30 of the first embodiment described above, but in this embodiment, as shown in FIG. 9, "XX" is set to be added to the communication signal used as The value of "CAN ID" of the transmission signal TD10, and "YY" is also set as the value for adding to the value of "CAN ID" of the encrypted signal TS10. This value "YY" is an identifier associated with the value "XX", and in the vehicle network system, the encrypted signal TS10 is previously defined as a so-called authentication signal for evaluating Authenticity of signal TD10, in encrypted signal TS10, value "YY" is set in "CAN ID".

As shown in FIG. 8, provided in the first ECU 20 serving as the first control unit: a key generation unit 31 that generates a private key K1 and a public key K2 forming a pair; and a private key holding unit 32, which holds the secret key K2 generated by the key generation unit 31. In addition, the first ECU 20 is also supplied with vehicle information data 35 constituted by vehicle speed, engine temperature, or processing results obtained with the ECU; an authentication data generation unit 36 that generates an authentication data for authentication data for authenticating a transmission source of the vehicle information data 35; and an encrypted data creation unit 37 that creates encrypted data serving as an authentication signal from the authentication data.

In the same manner as in the first embodiment described above, the key generation unit 31 forms a pair of a secret key K1 and a public key K2 ( key pair), and, for example, use a calculation method specified by the RSA encryption system to generate a key pair to be used for RSA encryption. Therefore, in the case where a key pair is used for encryption, plain text can be encrypted using the public key K2, and the encrypted plain text can be decoded by the private key K2. Furthermore, in the case where a key pair is used for digital signatures, plain text encrypted by the private key K1 can be decoded by the public key K2.

The vehicle information data 35 represent any type of vehicle information from among vehicle speed, engine temperature, or processing results obtained with the ECU, and one "CAN ID" is associated with one type of vehicle information data 35 in advance. As a result, in the vehicle network system, by referring to "CAN ID", if there is no unauthorized access, the type of vehicle information included in the vehicle information data 35 and the ECU that has transmitted the vehicle information data 35 can be correctly specified (for example, first ECU20).

The authentication data creation unit 36 takes the hash value of the vehicle information data 35 obtained by using a predetermined hash function as authentication data for authenticating that the transmission source of the vehicle information data 35 is the first ECU 20 . The hash function generates pseudorandom numbers (hash numbers, message digests) that have been determined in advance from the vehicle information data 35 . In theory, it is very difficult to generate data with the same hash value (for example, unsuitable vehicle information data). Thus, for example, it can be ensured that the authentication data created by the hash function is created from the vehicle information data 35 .

The encrypted data generation unit 37 generates encrypted data from the authentication data based on the secret key K1 held in the secret key retention unit 32 . Since the encrypted data is only decoded by the public key K2, it can be ensured that these public data have been generated by the first ECU 20 in the case where the encrypted data can be decoded by the public key K2.

The configuration related to the function of evaluating the reliability of the transmission signal TD10 provided in the second ECU 21 serving as the second control unit will be explained below. The third and fourth ECUs 22 and 23 are different from the second control unit in that they are not provided with a function of evaluating the reliability of the transmission signal, but other functions are similar to the second ECU 21 and thus an explanation thereof is omitted here.

The second ECU 21 is provided with a public key holding unit 41 that receives and holds the public key K2 transmitted from the first ECU 20 . The second ECU 21 is also provided with: a received data retaining unit 50 which retains the vehicle information data 35 included in the transmission signal TD10 transmitted by the first ECU 20; and an authentication data regeneration unit 51 which The reproduction unit 51 reproduces the authentication data based on the vehicle information data 35 held in the received data retention unit 50 . The second ECU 21 is further provided with: an encrypted data retaining unit 52 which retains encrypted data included in the encrypted signal TS10 transmitted by the first ECU; and a signal reliability evaluating unit 53 which The evaluation unit 53 evaluates the reliability of the transmission signal TD10 based on the authentication data reproduced by the authentication data reproduction unit 51 and the authentication data decoded from the encrypted data.

The received data holding unit 50 acquires and holds the vehicle information data 35 that has been fetched from the transmission signal TD10 transmitted by the first ECU 20 by the communication unit 30 that has received the transmission signal TD10 .

The authentication data reproduction unit 51 has the same hash function as that used by the first ECU 20 to generate the authentication data, and generates a hash of the vehicle information data 35 held in the received data retention unit 50 by using this hash function. value (message digest). Accordingly, the received data retention unit 50 generates reproduced authentication data that is reproduced based on the vehicle information data 35 and the hash function used by the first ECU 20 to generate the authentication data. Normally, if there is no unauthenticated access, the received data retention unit 50 generates reproduced authentication data identical to the authentication data generated by the first ECU 20 .

The encrypted data retaining unit 52 acquires and retains encrypted data taken out by the communication unit 30 having received the encrypted signal TS10 transmitted by the first ECU 20 by removing "CAN ID" considered necessary for communication from the encrypted signal TS10 . Therefore, the encrypted data generated based on the authentication data generated by the first ECU 20 is held.

By decoding the encrypted data held in the encrypted data holding unit 52 based on the public key K2 held in the public key holding unit 41, the reliability evaluation unit 53 acquires decoded authentication data, which is generated by the first ECU 20 authentication data. Since the encrypted data decoded by the public key K2 is only encrypted data that has been encrypted by the private key K1 of the first ECU 20, it is ensured that the encrypted data that can be properly decoded by the public key K2 is data encrypted using the private key K1 , that is, data encrypted by the first ECU20.

The reliability evaluation unit 53 then evaluates the reliability of the transmission signal TD10 based on the comparison of the decoded authentication data obtained by decoding the encrypted data and the reproduced authentication data of the authentication data reproduction unit 51 . As a result, in the case where the decoded authentication data and the reproduced authentication data match, it is ensured that the decoded authentication data was transmitted by the first ECU 20 . Therefore, it is also ensured that the vehicle information data 35 for regenerating the regenerative authentication data is transmitted from the first ECU 20 . Furthermore, since the hash values used as authentication data match, it is also ensured that the plain text data (vehicle information data 35 ) transmitted by the first ECU 20 as the transmission signal TD10 is not falsified into different data on the way.

The operation of the above-configured vehicle network system will be explained below with reference to FIGS. 10 and 11 . As shown in FIG. 9 , the first ECU 20 generates a pair of secret key K1 and public key K2 in the key generation unit 31 when the vehicle network system is initialized, and keeps the generated secret key K1 in the private key. key retention unit 32. At the same time, the first ECU 20 transmits the generated public key K2 to the network 29 and sets the public key to the second ECU 21 . In the present embodiment, the third and fourth ECUs 22 and 23 do not require reliability evaluation of the transmission signal transmitted from the first ECU 20 . Therefore, public key K2 generated by first ECU 20 is not set.

After such initialization processing has ended, the vehicle network system is activated and a transmission signal TD10 requiring reliability evaluation is transmitted from the first ECU 20 to the second ECU 21 . The transmission signal TD10 is a signal structured in the general CAN protocol format and has the value "XX" of the CAN ID and the value "123..." of the plain text data (vehicle information data 35). In the case where the transmission signal TD10 is transmitted to the network 29, the second to fourth ECUs 21 to 23 connected to the same network 29 receive The received signals RD11 to RD13.

However, in the present embodiment, the first ECU 20 transmits the encrypted signal TS10 for reliability evaluation of the transmission signal TD10 to the network 29 before transmitting the transmission signal TD10 . Therefore, as shown in FIG. 10 , the first ECU 20 generates a hash value (message digest) of the vehicle information data 35 which is plain text data as authentication data (step S40 in FIG. 10 ), and generates an encrypted signal TS10 (FIG. Step S41 in 10), the encrypted signal TS10 includes encrypted data obtained by encrypting the generated authentication data with the private key K1. For example, "608..." as authentication data is obtained by encrypting authentication data generated from plain text data "123...". Then, an encrypted signal TS10 is created, structured in CAN protocol format with CAN ID value "YY" and encrypted data value "608...". In the case of creating an encrypted signal TS10, the first ECU 20 transmits the created encrypted signal TS10 (step S42 in FIG. 10 ), and also transmits a transmission signal TD10 (step S42 in FIG. Step S43). As a result, the transmission of the transmission signal TD10 and the transmission of the encrypted signal TS10 for evaluating the reliability of the transmission signal performed by the first ECU 20 are ended.

Meanwhile, the second ECU 21 receives the transmission signal TD10 and the encrypted signal TS10 and also evaluates the reliability of the transmission signal TD10 based on the received transmission signal TD10 and the encrypted signal TS10 . Therefore, as shown in FIG. 11 , the second ECU 21 receives the encrypted signal TS10 (step S50 in FIG. 11 ). By receiving the encrypted signal TS10, the second ECU 21 can predict the transmission of the transmission signal TD10 having the CAN ID value "XX" corresponding to the CAN ID value "YY" of the encrypted signal TS10. When receiving the encrypted signal TS10 , the second ECU 21 decodes the encrypted signal TS10 and obtains decoded authentication data (step S51 in FIG. 11 ). Further, the second ECU 21 obtains the plain text data (vehicle information data 35 ) from the transmission signal TD10 corresponding to the encrypted signal TS10 (step S52 in FIG. 11 ) and also generates a hash value of the plain text data (vehicle information data 35 ) (message digest) as reproduction authentication data (step S53 in FIG. 11 ). In the case of obtaining the decoded authentication data (message digest) and the reproduction authentication data (message digest), the second ECU 21 compares these decoded authentication data with the reproduced authentication data (step S54 in FIG. 11 ). When the comparison result indicates that the decoded authentication data matches the reproduced authentication data (YES in step S55 in FIG. 11 ), the transmission signal TD10 is determined to be appropriate (step S56 in FIG. 11 ). Meanwhile, when the comparison result indicates that the decoded authentication data and the reproduced authentication data do not match (NO in step S55 in FIG. 11 ), transmission signal TD10 is determined to be unauthenticated (step S57 in FIG. 11 ). As a result, the reliability of the transmission signal TD10 was evaluated. The reliability evaluation of the transmission signal TD10 transmitted by the first ECU 20 is thereby completed.

As mentioned above, with the vehicle network system of the present embodiment, the following effects can be obtained.

(10) Since the public key K2 is set when the initialization process is performed, the first control unit that transmits the public key K2 is designated as a unit already included in the vehicle network system when the initialization process is performed. Furthermore, by comparing the reproduction authentication data generated from the transmission signal TD10 with the decoded authentication data obtained by decoding the encrypted data of the first ECU 20 from the encrypted signal TS10, the second ECU 21 can determine that the transmission source of the transmission signal TD10 is the first ECU 20 , and no tampering is added to transmit signal TD10. For example, even if the transmission signal TD10 flowing in the network 29 has been falsified, since the authentication data (encrypted data) of the encrypted signal TS10 corresponding thereto cannot be falsified, falsification of the transmission signal TD10 can be detected. As a result, a false signal transmitted from a device masquerading as the first ECU 20 can be detected and the reliability of the communication signal can be increased.

(11) Furthermore, the transmission signal TD10 itself is also transmitted from the first ECU 20 to the network. Therefore, the third and fourth ECUs 22 and 23 that have not evaluated the reliability of the transmission signal TD10 can receive and use the transmission signal TD10 from the first ECU 20 in a conventional manner. Therefore, the system for evaluating the reliability of the transmission signal TD10 can be easily applied to the currently existing vehicle network system.

(12) The hash function makes it possible to calculate authentication data of an appropriate size (strength) from the transmission signal TD10 , particularly from the vehicle information data 35 . As a result, flexibility is increased when designing vehicle network systems.

(13) Since the first ECU 20 generates the private key K1 and the public key K2 when performing initialization processing, the private key K1 and the public key K2 are prevented from being leaked in advance. (14) Since the public key K2 is distributed during the initialization process, the public key K2 can be accurately and efficiently distributed to the appropriate second ECU 21 constituting the vehicle network system.

(Other Embodiments) The above-described embodiments can also be implemented in the following modes.

In the above-mentioned embodiments, the case where the network 29 is CAN has been explained by way of example. However, such a configuration is not a limitation, and it is also possible to use a conventional network suitable for use as a network for vehicles, such as Ethernet ^™ and FlexRay ^™ . Additionally, the network can use wireless communications, wired communications, or a mixture thereof. As a result, the application range of the vehicle network system is expanded and the flexibility in designing the system is increased.

In the first embodiment, the case where the authentication key 43 is generated at the timing at which the public key K2 is set is explained, but such a configuration is not a limitation, and the authentication key may be generated at any timing provided that it exists in the ECU For the remaining processing capacity, the public key is kept, and the timing of generation is before adding to the communication signal.

In the above-mentioned embodiment, the case where the public key K2 is made public only once is explained, but such a configuration is not a limitation, and the public key may be made public many times as long as it is possible not to acquire a device that has been added without authentication. .

In the first embodiment, the case where the public key K2 is held in the public key retention unit 41 was explained, but such a configuration is not a limitation, and since the public key is not used after the authentication key has been generated, in The public key can be deleted after the authentication key has been generated. Since the public key is thus deleted from the second ECU or the like, the public key is prevented from being leaked after distribution of the public key, and the reliability of communication signals can be further increased.

In the first embodiment, the case where the extraction key 431 (to 43n) is added after the vehicle information data 44 in the transmission signal was explained, but such a configuration is not a limitation, and the extraction key may be added in front of the data or In other locations, as long as a format enabling communication in the network can be maintained. As a result, the flexibility in adding the extraction key to the transmission signal increases, and the application range for evaluating the reliability of the transmission signal expands.

In the first embodiment, the case where the first ECU 20 evaluates the reliability of the transmission signals of all the other ECUs (second to fourth ECUs 21 to 23 ) connected to the network was explained. However, such a configuration is not a limitation, and the first ECU may only evaluate the reliability of communication signals of some (one or more) of the other ECUs connected to the network. In such a case, the flexibility in designing the vehicle network system increases. For example, it is not necessary to add an extraction key to a transmission signal other than a reliability evaluation object.

In the second embodiment, the case where the reliability of the transmission signal transmitted from the first ECU 20 is evaluated by only one ECU (second ECU 21 ) is explained. However, such a configuration is not a limitation, and the reliability of the transmission signal transmitted from the first ECU can be evaluated by a plurality of ECUs (second to fourth ECUs, etc.). As a result, flexibility is increased when designing vehicle network systems.

In the second embodiment, the case where encrypted signal TS10 is transmitted by first ECU 20 as a transmitting ECU before transmitting signal TD10 and encrypted signal TS10 is received by second ECU 21 as a receiving ECU before transmitting signal TD10 is explained. However, such a configuration is not a limitation, and the transmitting ECU may transmit the encrypted signal after transmitting the transmitting signal and the receiving ECU may receive the encrypted signal after transmitting the signal. As a result, flexibility is increased when designing vehicle network systems.

In the first embodiment, the case of using RSA encryption as the public key encryption system was explained, but such a configuration is not restrictive, and other conventional public key encryption systems can be used as long as the requirements for encryption by the public key are satisfied. A relation in which plain text can be decoded with a private key. As a result, flexibility in designing vehicle network systems and their applications expands.

In the second embodiment, the case where RSA encryption is used as the public key encryption system is explained, but such a configuration is not limited, and other conventional public key encryption methods can be used as long as the conditions for encryption by the public key are satisfied. The relation that plain text can be decoded by a private key, ie, as long as the system can be used for digital signatures. As a result, flexibility in designing vehicle network systems and their applications expands.

In the first embodiment, the case where the authentication host is only the first ECU 20 is explained, but such a configuration is not a limitation, and a plurality of authentication hosts may be provided. As a result, the security of the vehicle network system can be maintained at a high level.

In the first embodiment, the case where the first ECU 20 continuously evaluates the reliability of the transmission signal was explained, but such a configuration is not a limitation, and the evaluation and reliability of the transmission signal may be appropriately performed. For example, the reliability of the transmission signal can be evaluated when the frequency of the transmission signal flowing in the network changes abnormally. As a result, the transmission signal can be properly evaluated.

In the second embodiment, the case of associating the "CAN ID" value "YY" with the encrypted signal TS10 corresponding to the transmission signal TD10 was explained, but such a configuration is not a limitation, and can also be changed according to a predetermined rule. The "CAN ID" value used in the encrypted signal corresponding to the transmitted signal. As a result, deceptive use of "CAN ID" and spoofing using "CAN ID" can become more difficult.

In the second embodiment, the case where authentication data is generated by using a hash function is explained, but such a configuration is not a limitation, and authentication data may be generated according to a predetermined calculation rule. As a result, flexibility is increased when designing vehicle network systems.

In the above-described embodiments, the case where the key pair is generated by the first ECU 20 is explained, but such a configuration is not limiting, and a key pair generated in advance may also be used. In the case of using a previously generated key pair, it may be distributed to each ECU in advance. As a result, flexibility is increased when designing vehicle network systems.

Claims (12)

1. vehicle network system comprises:

A plurality of control units, described a plurality of control units are arranged on vehicle and can carry out communicatedly each other network and connect,

Described a plurality of control unit comprises:

The first control unit, be set with the described private key in the middle of private key and public-key cryptography in described the first control unit, described private key and described public-key cryptography form a pair of and by the initialization process that execution is used to activate described system, set; And

The second control unit, be set with described public-key cryptography in described the second control unit, wherein,

Described the second control unit is configured to: from described public-key cryptography and can specify the information of described second control device to create authentication information, described authentication information is added to the signal of communication that will be sent to other control units, and the described signal of communication that will be added with described authentication information is sent to described network; And

Described the first control unit is configured to: obtain the described authentication information that adds the described signal of communication that transmits from described the second control unit to, and assess the reliability of described signal of communication based on the authentication information that obtains and described private key.

2. vehicle network system according to claim 1, wherein,

Described the second control unit is configured to: described authentication information is divided into a plurality of message segments, will by dividing the division authentication information that obtains, sequentially adds signal of communication to, and transmit the described signal of communication that is added with described division authentication information; And

Described the first control unit is configured to: sequentially receive described signal of communication, from described division authentication information, reconfigure authentication information before dividing, and assess the reliability of described signal of communication based on the authentication information that reconfigures.

3. vehicle network system according to claim 1, wherein,

Described the first control unit is configured to: by carrying out described initialization process, generate described private key and described public-key cryptography, and described the first control unit itself is set described private key, and described the second control unit is set described public-key cryptography.

4. vehicle network system according to claim 3, wherein, described the first control unit comes described the second control unit is set described public-key cryptography via described network.

5. the described vehicle network system of any one according to claim 1 to 4, wherein, described the second control unit creates described authentication information in timing place of setting described public-key cryptography.

6. the described vehicle network system of any one according to claim 1 to 5, wherein, after creating described authentication information, the described public-key cryptography that described the second control unit deletion has been set.

7. the described vehicle network system of any one according to claim 1 to 6, wherein, when starting described vehicle network system, described the second control unit was sent to described network with described authentication information before transmitting described signal of communication, and described the first control unit is configured to obtain and be stored in the described authentication information that has received before from described the second described signal of communication of control unit reception, and make comparisons to assess the reliability of described signal of communication by the described authentication information with storing and the authentication information that adds described signal of communication to.

8. the described vehicle network system of any one according to claim 1 to 7, wherein, described the first control unit is configured to: when having determined that described signal of communication is unreliable, forbid in described vehicle network system the use to the signal of communication that is transmitted by described the second control unit.

9. vehicle network system comprises:

A plurality of control units, described a plurality of control units are arranged on vehicle and can carry out communicatedly each other network and connect,

Described a plurality of control unit comprises:

The first control unit, be set with the described private key in the middle of private key and public-key cryptography in described the first control unit, described private key and described public-key cryptography form a pair of and by the initialization process that execution is used to activate described system, set; And

The second control unit, be set with described public-key cryptography in described the second control unit, wherein,

Described the first control unit is configured to: via described network, signal of communication is sent to other control units, and transmitting the authentication signal that creates based on described private key and original authentication data, described original authentication data are based on described signal of communication and generate; And

Described the second control unit is configured to: receive described signal of communication and described authentication signal, and conciliate the reliability of relatively assessing described signal of communication of code authentication data based on the regeneration verify data, described regeneration verify data is based on that received signal of communication generates, and described decoding verify data is based on described authentication signal and described public-key cryptography is decoded.

10. vehicle network system according to claim 9, wherein, described the first control unit is configured to: by utilizing described private key, the original authentication data are encrypted to generate described authentication signal, described original authentication data are by calculating described signal of communication application hash function; And described the second control unit is configured to: calculate described regeneration verify data by the described hash function of the application of the signal of communication to received, and based on the reliability of relatively assessing described signal of communication of described regeneration verify data with the decoding verify data that obtains by described authentication signal is decoded.

11. the vehicle network system described according to claim 9 or 10, wherein, described the first control unit is configured to: by carrying out described initialization process, generate described private key and described public-key cryptography, and described the first control unit itself is set described private key, and described the second control unit is set described public-key cryptography.

12. vehicle network system according to claim 11, wherein, described the first control unit comes described the second control unit is set described public-key cryptography via described network.

Images